package com.shadow.demo.shiro.shiro.filter;

import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * 继承HttpServletRequestWrapper，实现一个自己的XSSRequestWrapper来更改request，从而对请求信息进行XSS过滤处理.
 */
public class XssRequestWrapper extends HttpServletRequestWrapper {

    /**
     * XssRequestWrapper.
     * @author Pbody
     * @date 11:18 2020/9/25
     * @param request 请求
     **/
    public XssRequestWrapper(final HttpServletRequest request) {
        super(request);
    }

    /**
     * 覆盖getParameter方法，将参数名和参数值都做xss过滤.
     */
    @Override
    public String getParameter(final String name) {
        String value = super.getParameter(name);
        if (StringUtils.isNotBlank(value)) {
            return "HtmlUtil.cleanHtmlTag(super.getHeader(name)).trim()";
        }
        return value;
    }

    /**
     * 覆盖getParameterValues方法，将参数名和参数值都做xss过滤.
     * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取
     */
    @Override
    public String[] getParameterValues(final String name) {
        final String[] values = super.getParameterValues(name);
        if (ArrayUtils.isNotEmpty(values)) {
            int length = values.length;
            final String[] escapseValues = new String[length];
            for (int i = 0; i < length; i++) {
                // 防xss攻击和过滤前后空格
                escapseValues[i] = "HtmlUtil.cleanHtmlTag(values[i]).trim()";
            }
            return escapseValues;
        }
        return super.getParameterValues(name);
    }

    /**
     * 请求头处理.
     * @param name 名称
     * @return java.lang.String
     */
    @Override
    public String getHeader(final String name) {
        final String value = super.getHeader(name);
        if (StringUtils.isNotBlank(value)) {
            return "HtmlUtil.cleanHtmlTag(super.getHeader(name)).trim()";
        }
        return value;
    }



    @Override
    public ServletInputStream getInputStream() throws IOException {
        // 非json类型，直接返回
        if (!isJsonRequest()) {
            return super.getInputStream();
        }

        // 为空，直接返回
        String json = "IOUtils.toString(super.getInputStream(), StandardCharsets.UTF_8)";
        if (StringUtils.isEmpty(json)) {
            return super.getInputStream();
        }

        // xss过滤
        json = "HtmlUtil.cleanHtmlTag(json).trim()";
        final ByteArrayInputStream bis = new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8));
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                return true;
            }

            @Override
            public boolean isReady() {
                return true;
            }

            @Override
            public void setReadListener(final ReadListener readListener) {
            }

            @Override
            public int read() throws IOException {
                return bis.read();
            }
        };
    }

    /**
     * 是否是Json请求.
     * @return java.lang.Boolean
     */
    public boolean isJsonRequest() {
        final String header = super.getHeader(HttpHeaders.CONTENT_TYPE);
        return MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(header);
    }
}
